A fix is available
APAR status
Closed as program error.
Error description
When SPNEGO is configured only within a security domain and is working, and an additional SPN needs to be added: after you update the keytab and then go to the admin console to add the new hostname entry, the SPN is not found. This happens because, when a new hostname is being added, the WebSphere code does not set the location of the krb5.ini/krb5.conf file; as a result, the file is loaded from the default operating system location. Here is a trace snippet:
------------------------------
000000da SystemOut O [JGSS_DBG_PROV] WebContainer : 0 getFactory: index = 1 found factory caller = com.ibm.security.jgss.GSSCaller@52bb90dd
000000da SystemOut O [KRB_DBG_CFG] Config:WebContainer : 0: Config name: /etc/krb5.conf
000000da SystemOut O [JGSS_DBG_CRED] WebContainer : 0 Name cannonicalization complete, resulting name string=HTTP/[email protected]
------------------------------
As you can see, the krb5.conf file was read from the default operating system location (/etc/krb5.conf) and the Kerberos realm name was taken from it (EXAMPLE.COM); as a result, the correct keytab file was not read either. The exception thrown is:
------------------------------
GSSException SourceId:com.ibm.ws.security.auth.kerberos.admintask.validateKrb5Spn ProbeId:1190 Reporter:com.ibm.ws.security.auth.kerberos.admintask.SpnegoCommandProviderImpl@ef3d1bdd
org.ietf.jgss.GSSException, major code: 13, minor code: 0
major string: Invalid credentials
minor string: Kerberos error getting credential from JAAS Subject: {0}
at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:34)
at com.ibm.security.jgss.mech.krb5.x.b(x.java:6)
at com.ibm.security.jgss.mech.krb5.x.a(x.java:379)
------------------------------
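The failure mode described above, worked through as an added example (this is not IBM's code and is not part of the original APAR): a small Python script that parses an MIT-format keytab, reads default_realm from a krb5.conf, canonicalises a realm-less SPN the way JGSS does (by appending that default realm), and then checks whether the resulting principal is present in the keytab. The keytab entries, the hostnames app1/app2.corp.example and the realms CORP.EXAMPLE and EXAMPLE.COM are all constructed for the demonstration. Running it shows the same SPN validating against the WebSphere-configured krb5.conf but failing when the OS default file with a different default_realm is the one loaded, which is exactly what the trace above records.

```python
"""Added example, not IBM code: reproduce the PM72843 SPN validation failure.

Parses an MIT keytab (format 0x0502), reads default_realm from a krb5.conf,
canonicalises a realm-less SPN as JGSS does, and checks the keytab for it.
All keytab entries, hostnames and realms below are constructed for the demo."""
import struct


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples into a v2 keytab blob."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:                      # counted octet strings
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">II", 1, 0)               # name type, timestamp
        body += struct.pack(">B", kvno & 0xFF)         # 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body     # size excludes itself
    return bytes(out)


def _cstr(buf, off):
    """Read one counted octet string at off; return (text, next offset)."""
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n


def parse_keytab(data):
    """Return the set of principals (name@REALM) stored in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    principals, pos = set(), 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:                                  # negative size: free slot
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", entry[:2])
        realm, off = _cstr(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _cstr(entry, off)
            comps.append(comp)
        principals.add("/".join(comps) + "@" + realm)
    return principals


def default_realm(krb5_conf_text):
    """default_realm from [libdefaults]: what gets appended to a realm-less SPN."""
    section = None
    for raw in krb5_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "libdefaults" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key == "default_realm":
                return val
    return None


def validate_spn(spn, keytab_bytes, krb5_conf_text):
    """Mirror of the admin-task check: canonicalise the SPN against the
    krb5.conf in effect, then require it to be present in the keytab."""
    if "@" not in spn:
        realm = default_realm(krb5_conf_text)
        if realm is None:
            raise ValueError("no default_realm in krb5.conf")
        spn = spn + "@" + realm
    return spn, spn in parse_keytab(keytab_bytes)


# Constructed data: the keytab WebSphere was given, its configured krb5.conf,
# and the OS default /etc/krb5.conf that the unfixed code loads instead.
WAS_KRB5_CONF = "[libdefaults]\n  default_realm = CORP.EXAMPLE\n"
OS_KRB5_CONF = "[libdefaults]\n  default_realm = EXAMPLE.COM\n"
KEYTAB = build_keytab([
    ("HTTP/app1.corp.example@CORP.EXAMPLE", 3, 18, b"\x11" * 32),  # 18 = aes256
    ("HTTP/app2.corp.example@CORP.EXAMPLE", 3, 18, b"\x22" * 32),
])

if __name__ == "__main__":
    for label, conf in (("OS default", OS_KRB5_CONF), ("configured", WAS_KRB5_CONF)):
        full, ok = validate_spn("HTTP/app2.corp.example", KEYTAB, conf)
        print("%-11s %s -> %s" % (label, full, "found" if ok else "NOT in keytab"))
```

On a real server the equivalent checks are to list the keytab's principals with `klist -k -t <keytab>` and to confirm which configuration the JVM reads (the `java.security.krb5.conf` system property, or the platform default when it is unset), since a mismatch between the realm in that file and the realm in the keytab produces the "Invalid credentials" GSSException shown above.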
Local fix
1) Remove the security domain, then recreate it and configure SPNEGO, starting with a keytab that contains all the SPN entries you need. You will then be able to add all the corresponding hostname filters.
2) Configure SPNEGO in global security instead of in a security domain.
Problem summary
****************************************************************
* USERS AFFECTED: All users of IBM WebSphere Application       *
*                 Server                                       *
****************************************************************
* PROBLEM DESCRIPTION: Modifications in krb5.conf or keytab    *
*                      file might not be honored during        *
*                      runtime.                                *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Although WebSphere Application Server is designed to honor a newly configured parameter in the krb5.conf file or keytab file during runtime, one scenario was found in which this did not happen.
Problem conclusion
With this fix, the security code was modified to reload the krb5.conf file and the keytab file, so that the latest values are honored before validating whether the given SPN is valid.
The fix for this APAR is currently targeted for inclusion in fix pack 8.5.0.2. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR Information
APAR number
PM72843
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2012-09-13
Closed date
2012-10-02
Last modified date
2012-10-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
Document Information
Modified date:
01 November 2021